What Is DNS Over HTTPS (DoH)? Encrypted DNS and Your Resolver Explained
DNS over HTTPS, usually shortened to DoH, is a method that encrypts DNS queries by sending them through the same secure channel your browser already uses for websites. Every time you type a domain name, your device asks a DNS resolver to translate that name into an IP address. With classic DNS, that lookup travels in plain text, so your internet service provider, network operators, or anyone watching the connection can read every domain you look up. DoH closes that gap.
In this article you’ll learn what DNS over HTTPS is, how it protects your DNS traffic, how it compares to DNS over TLS, and how to turn on DoH in your browser or system.
What Is DNS Over HTTPS (DoH)?
DNS over HTTPS is a protocol that wraps your DNS requests inside protected HTTPS. Instead of sending a lookup over the plain, unencrypted DNS channel, DoH works by using the HTTPS protocol to carry your DNS query to a DoH server. The resolver on the other end reads the request, maps that DNS name to its address, and sends the answer back.
The DoH client uses HTTPS to send the request, so its traffic looks like regular HTTPS traffic. A DoH resolver behaves like any HTTPS server and listens on the same port used for secure pages, so DNS queries and responses blend in with everything else. That is the core idea: turn a visible lookup into a private exchange.
The standard was published as RFC 8484 and has since been adopted by major platforms and DNS providers. When you use DoH, your lookups stop being an open book.
How Standard DNS Works — and Why It Leaks
The domain name system is the internet’s address book. Most people use DNS every day without thinking about it. When you request a site, a recursive DNS resolver walks through the DNS infrastructure to find the right server and returns the address. The classic DNS protocol runs over port 53 with no encryption at all.
That design is fast, but it exposes everything. Plain DNS lets your ISP log every domain you look up. With DNS over HTTPS, that record stays private. Because the query is readable, plain DNS is also exposed to eavesdropping and to manipulation of DNS data through man-in-the-middle attacks, including DNS spoofing and DNS cache poisoning, where an attacker feeds your device a fake answer and sends you to a malicious site.
For a closer look at how lookups and addressing work, our explainer on how the internet works with addresses breaks it down.
How DNS Over HTTPS Encrypts Your DNS Queries
DoH protects DNS requests and responses alike. It fixes the exposure by moving the conversation onto an encrypted path. Here is the flow:
- Your DoH client bundles a DNS query into an HTTPS request.
- That request travels to a DoH resolver over the standard HTTPS port.
- TLS encryption keeps the exchange between the DoH client and the DoH-based DNS resolver private.
- The DoH server returns the answer, still encrypted.
By using TLS to encrypt the data, DoH increases privacy and security by preventing eavesdropping on your DNS lookups. Nobody on the path — not your provider, not a rogue Wi-Fi hotspot — can see which domains you request. This is the same protection that shields your logins and payments, now applied to DNS resolution.
DoH vs DNS Over TLS: The Difference Between DNS Encryption Methods
DoH is not the only way to encrypt DNS. DNS over TLS, or DoT, is a close cousin. Both DoH and DoT rely on the same underlying encryption to protect DNS traffic, but they differ in how they blend into the network.
DoH uses port 443, the same port already used for web traffic, so DoH traffic is hard to single out from everything else. DNS over TLS uses a dedicated port (853), which makes DoT traffic easy to spot and easy for a network to block. That is the main distinction here: DoT is tidy and identifiable, while DoH hides in plain sight.
Neither is strictly better — DoT is popular at the system level, while DoH is the default choice inside browsers.
Why DoH Matters for Privacy and Security
For most people, the appeal of DoH comes down to privacy and security. Normal DNS quietly reveals your browsing to whoever runs the network. Encrypting the DNS layer removes one of the easiest ways to profile you online.
DoH helps in a few concrete ways:
- DNS privacy. Your DNS provider still sees your queries, but your local network no longer does.
- Protection from tampering. Encryption helps prevent DNS tampering such as spoofing and cache poisoning.
- Fewer leaks. Combined with other tools, DoH reduces the trail you leave behind.
DoH pairs well with broader privacy habits. If you are building a more private setup, anonymous browsing and WebRTC IP leaks are both worth a read.
Which Browsers and Operating Systems Support DNS Over HTTPS
Support for DoH is now widespread. Most modern browsers and operating systems support DNS over HTTPS out of the box:
- Firefox turned on DNS over HTTPS by default for many users, routing queries to a trusted DoH provider.
- Chrome and Edge include a setting that turns on DNS over HTTPS when your chosen DNS server offers it.
- Windows 11 and recent Linux and macOS builds have implemented DNS over HTTPS at the operating system level, so every app benefits, not just one browser.
As more platforms adopt DNS over HTTPS, you may already be using DoH without realizing it.
How to Enable DNS Over HTTPS
You can enable DoH in a few minutes. The exact path depends on your software, but the idea is the same: point your DNS configuration at a DoH provider and switch encrypted DNS on.
In a browser, open Settings, find the Secure DNS control, and pick a provider or enter a custom DoH server URL. To set it up system-wide, configure the DNS settings in your operating system and point your device at a DoH-capable DNS server. As a standard for encrypting DNS queries, DoH is easy to switch on and just as easy to turn off later.
Cloudflare’s 1.1.1.1, Google, and Quad9 are common third-party DNS options that support DoH. Once configured, your device will encrypt DNS queries automatically.
If you ever need to test your setup, how to check if your VPN is working covers related DNS leak testing.
DoH as a DNS Security Solution — and Its Limits
DoH is a solid security tool, but it is not a full privacy layer. It encrypts DNS between you and the resolver, yet that resolver still sees every domain name you request. It also does not hide your IP from the sites you visit, or from your provider once the connection is made.
Some networks also try to filter DoH to keep their own DNS-based controls in place. Because DoH can sidestep network-level DNS filtering, an enterprise may switch it off on managed devices so its security filter can still inspect lookups.
That is why a private DNS service works best alongside a VPN, which encrypts your whole connection and masks your IP address — not just your DNS queries.
Protect Every Layer with Planet VPN
DNS over HTTPS protects one important part of your connection. A VPN protects the rest. When you connect through Planet VPN, all of your traffic — DNS queries included — travels through a secure tunnel, and your real address stays hidden from the sites you visit.
Planet VPN’s free plan gives you core protection at no cost, with access to multiple locations. When you want more locations and higher speed, Premium has you covered.
- Start free on the Planet VPN homepage.
- Download Planet VPN for your device.
- Compare plans to find the right fit.
Pair private DNS with a VPN, and you close the gaps that DoH alone leaves open.
Frequently Asked Questions
Should you use DNS over HTTPS?
For most people, yes. DoH encrypts your DNS queries so your provider and local network cannot log the sites you look up. If you value DNS privacy, turning on DNS over HTTPS is a low-effort win. Just remember your DoH provider still sees your queries, so pick one you trust.
Why disable DNS over HTTPS?
Some users disable DoH because it can interfere with network-level tools. Parental controls, workplace security filters, and some antivirus products rely on classic DNS to inspect traffic. On a managed network, an administrator may block DoH so those protections keep working.
Is DNS over HTTPS suspicious?
No. Its traffic looks like ordinary web traffic because it shares the same port, and it is a published internet standard. It is not inherently suspicious — though a few networks flag it simply because DoH makes their monitoring harder.
Is 1.1.1.1 DNS over HTTPS?
Cloudflare’s 1.1.1.1 works with DNS over HTTPS, yes. You can point your browser or system at 1.1.1.1 as a DoH provider, and it will protect DNS queries over the HTTPS protocol. It also supports DNS over TLS for clients that prefer DoT.
Is my DNS over HTTPS?
Check your browser’s DNS controls or your device’s network options. If encrypted DNS is selected and the option is switched on, your DNS queries stay private. Cloudflare and others also offer test pages that confirm whether your resolver is using DoH.
Is 1.1.1.1 banned?
In most places, no. Cloudflare’s 1.1.1.1 resolver is widely available. A handful of ISPs or countries have restricted access to it at times, usually to keep their own DNS filtering in place, but for the vast majority of users it works normally.